[AZ-777] Phase 1 hotfix (z/x/y) + Phase 2 Derkachi seed + ops

Phase 1 hotfix:
- C11 HttpTileDownloader adapted to satellite-provider v2.0.0
  z/x/y inventory contract (bulk POST keyed by slippy-map coords).
- Unit tests rewritten to exercise the new inventory schema.
- E2E smoke test updated to match the v2.0.0 wire.

Phase 2 (Derkachi seed + smoke-validated on Jetson):
- tests/fixtures/derkachi_c6/{README,bbox.yaml,seed_region.py}
  drives POST /api/satellite/region against satellite-provider
  with Google Maps as the imagery source. Smoke run produced
  4 regions, 175 tiles, inventory 32/32.
- scripts/mint_dev_jwt.py + run-tests-jetson.sh auto-mint and
  export SATELLITE_PROVIDER_API_KEY using JWT_SECRET / JWT_ISSUER
  / JWT_AUDIENCE env vars (no host port mappings; e2e-runner
  reaches SP via internal docker network only).

Spec amendment: AZ-777 todo spec updated to record the
Google Maps imagery source decision and STOP-gate state.

AZ-777 Phase 3+ work is superseded by Epic AZ-835 (see next
commit).

Co-authored-by: Cursor <cursoragent@cursor.com>

scripts/run-tests-jetson.sh

@@ -81,6 +81,21 @@ if [ "${#JWT_SECRET}" -lt 32 ]; then
     exit 70
 fi
 
+# AZ-777 Phase 1: the e2e-runner needs a Bearer token to call the real
+# satellite-provider. If the caller didn't pre-export SATELLITE_PROVIDER_API_KEY
+# (preferred for CI / repeatable runs), mint a fresh dev JWT here using the
+# same JWT_SECRET / JWT_ISSUER / JWT_AUDIENCE the producer validates against.
+if [ -z "${SATELLITE_PROVIDER_API_KEY:-}" ]; then
+    echo "[run-tests-jetson] minting fresh dev JWT via scripts/mint_dev_jwt.py"
+    if ! SATELLITE_PROVIDER_API_KEY=$(python3 "${SCRIPT_DIR}/mint_dev_jwt.py" \
+            --subject e2e-runner-jetson 2>&1); then
+        echo "ERROR: mint_dev_jwt.py failed:" >&2
+        echo "${SATELLITE_PROVIDER_API_KEY}" >&2
+        exit 71
+    fi
+    export SATELLITE_PROVIDER_API_KEY
+fi
+
 # Pre-quote the env vars for safe heredoc injection. `${var@Q}` would be
 # cleaner but it requires bash 4.4+; macOS ships bash 3.2 and we want to
 # stay portable. `printf %q` is in bash 2+.
@@ -88,6 +103,7 @@ JWT_SECRET_Q=$(printf '%q' "${JWT_SECRET}")
 JWT_ISSUER_Q=$(printf '%q' "${JWT_ISSUER}")
 JWT_AUDIENCE_Q=$(printf '%q' "${JWT_AUDIENCE}")
 GOOGLE_MAPS_API_KEY_Q=$(printf '%q' "${GOOGLE_MAPS_API_KEY:-}")
+SATELLITE_PROVIDER_API_KEY_Q=$(printf '%q' "${SATELLITE_PROVIDER_API_KEY}")
 
 # ----------------------------------------------------------------------
 # Pre-flight
@@ -208,6 +224,7 @@ export JWT_SECRET=${JWT_SECRET_Q}
 export JWT_ISSUER=${JWT_ISSUER_Q}
 export JWT_AUDIENCE=${JWT_AUDIENCE_Q}
 export GOOGLE_MAPS_API_KEY=${GOOGLE_MAPS_API_KEY_Q}
+export SATELLITE_PROVIDER_API_KEY=${SATELLITE_PROVIDER_API_KEY_Q}
 cd "${REMOTE_DIR}"
 docker compose -f "${COMPOSE_FILE}" build e2e-runner satellite-provider
 EOF
@@ -226,6 +243,7 @@ export JWT_SECRET=${JWT_SECRET_Q}
 export JWT_ISSUER=${JWT_ISSUER_Q}
 export JWT_AUDIENCE=${JWT_AUDIENCE_Q}
 export GOOGLE_MAPS_API_KEY=${GOOGLE_MAPS_API_KEY_Q}
+export SATELLITE_PROVIDER_API_KEY=${SATELLITE_PROVIDER_API_KEY_Q}
 cd "${REMOTE_DIR}"
 exec docker compose -f "${COMPOSE_FILE}" up \
     --abort-on-container-exit \